Jump to content


Photo
- - - - -

Browser Hijacker - Again


  • This topic is locked This topic is locked
33 replies to this topic

#1 Geographer

Geographer

    New Member

  • Members
  • Pip
  • 26 posts
  • Gender:Male
  • Location:22405

Posted 15 May 2011 - 12:20 AM

Thanks in advance, you guys helped me back in 2008, and now I have a similar problem with a browser hijacker.

Briefly, I had a the 'XP Security Center' mal appear a few days ago along with a browse hijacker that would redirect to findsutff.com, and I was able to remove them with Malwarebytes and Avira. I still have a browser hijacker that redirects searches to icityfind.com, but it doesn't do it every time I perform a search. In any case i appreciate any help you can offer:

This is my latest mbam log

Malwarebytes' Anti-Malware 1.44
Database version: 3730
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

6/13/2010 12:35:35 AM
mbam-log-2010-06-13 (00-35-35).txt

Scan type: Full Scan (C:\|)
Objects scanned: 271054
Time elapsed: 2 hour(s), 50 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And this is the results of DDS

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Dennis at 13:19:59.89 on Sat 05/14/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1220 [GMT -4:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Dennis\Application Data\Dropbox\bin\Dropbox.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dennis\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110512215306.dll
BHO: {A095A6F6-B7E8-40E2-9A80-A235566C0FE6} - No File
BHO: Catcher Class: {adecbed6-0366-4377-a739-e69dfba04663} - c:\program files\moyea\flv downloader\MoyeaCth.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: CAdBlocker Object: {e24ad748-155e-4254-b674-4edf86e7e1df} - c:\progra~1\acronis\privac~1\Blocker.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [StorageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
StartupFolder: c:\docume~1\dennis\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\dennis\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - c:\progra~1\acronis\privac~1\Blocker.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\dennis\applic~1\mozilla\firefox\profiles\f0hdd127.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdbplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\windows\system32\superadblocker.com\npsabffx.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Zotero: zotero@chnm.gmu.edu - %profile%\extensions\zotero@chnm.gmu.edu
FF - Ext: Wired-Marker: {e36db930-f18d-4449-b45f-e286cfb9e03a} - %profile%\extensions\{e36db930-f18d-4449-b45f-e286cfb9e03a}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {D7427597-ECD1-485E-ACCE-2A58EC457E82} - c:\documents and settings\suzi2\local settings\application data\{D7427597-ECD1-485E-ACCE-2A58EC457E82}
FF - Ext: XULRunner: {68088CAC-141C-40D2-9A7A-F8B10F9B656E} - c:\documents and settings\dennis\local settings\application data\{68088CAC-141C-40D2-9A7A-F8B10F9B656E}
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-2 387480]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-5-13 11608]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-1 84200]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-2-29 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-5-13 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-5-13 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-12 61960]
R2 FlipShareServer;FlipShare Server;c:\program files\flip video\flipshareserver\FlipShareServer.exe [2010-12-15 1085440]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-2-12 363344]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-11-14 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-1 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-1 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-1 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-1 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-1 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-1 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-1 56064]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-12 20952]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-2 153280]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-2 52320]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-1 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-8-1 88736]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-30 133104]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2010-12-26 18560]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-9-30 133104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-8-1 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-1 84488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-2 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-2 40552]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 12872]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-05-13 05:39:40 -------- d-----w- c:\docume~1\dennis\applic~1\Avira
2011-05-13 05:31:16 -------- dc----w- c:\docume~1\alluse~1\applic~1\Avira
2011-05-13 05:31:16 -------- d-----w- c:\program files\Avira
2011-05-06 01:03:28 -------- d-----w- c:\windows\system32\LogFiles
2011-05-05 23:41:05 -------- d-----w- c:\program files\Cisco Systems
2011-05-05 23:15:25 -------- dc----w- c:\docume~1\alluse~1\applic~1\Cisco Systems
2011-05-03 07:05:14 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-05-02 13:34:03 215920 ----a-w- c:\windows\system32\muweb.dll
2011-05-02 13:34:03 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-05-02 13:34:02 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-05-02 01:23:22 -------- d-----w- c:\program files\Microsoft Synchronization Services
2011-05-02 01:21:46 -------- dc----w- c:\documents and settings\all users\Microsoft
2011-05-02 01:21:46 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-05-02 01:06:32 -------- d-----w- c:\program files\Microsoft Analysis Services
2011-04-23 22:04:22 -------- d-----w- c:\docume~1\dennis\locals~1\applic~1\{68088CAC-141C-40D2-9A7A-F8B10F9B656E}
2011-04-23 21:37:13 0 ----a-w- c:\windows\Griku.bin
2011-04-20 01:41:12 98304 ----a-w- c:\windows\system32\hpzjsn01.dll
2011-04-20 01:41:11 606208 ----a-w- c:\windows\system32\hpotscl.dll
2011-04-20 01:41:11 258122 ----a-w- c:\windows\system32\hpovst08.dll
2011-04-20 01:40:18 180315 ----a-w- c:\windows\system32\hpzsnt12.dll
2011-04-18 17:29:27 -------- dc----w- C:\spoolerlogs
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 13:51:57 81920 ------w- c:\windows\system32\ieencode.dll
2011-02-17 13:51:57 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51:57 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 12:37:38 369664 ------w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2001-05-24 16:59:30 162304 ----a-w- c:\program files\UNWISE.EXE
.
============= FINISH: 13:22:47.92 ===============

Attached Files



#2 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 18 May 2011 - 02:45 PM

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.


Next, please visit this webpage for instructions for running ComboFix:
http://www.bleepingc...to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


-screen317
Chris Fistonich
Research Team

Posted Image

Follow us: Twitter, Become a fan: Facebook

#3 Geographer

Geographer

    New Member

  • Members
  • Pip
  • 26 posts
  • Gender:Male
  • Location:22405

Posted 18 May 2011 - 08:02 PM

Thanks for your help,

this is the updated MBAM log file

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6612

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

5/18/2011 7:11:11 PM
mbam-log-2011-05-18 (19-11-11).txt

Scan type: Quick scan
Objects scanned: 191864
Time elapsed: 15 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

this is the cf log:

ComboFix 11-05-17.03 - Suzi2 05/18/2011 19:19:36.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1418 [GMT -4:00]
Running from: c:\documents and settings\Suzi2\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Suzi2\Application Data\Adobe\plugs
c:\documents and settings\Suzi2\Application Data\Adobe\shed
c:\documents and settings\Suzi2\Local Settings\Application Data\{D7427597-ECD1-485E-ACCE-2A58EC457E82}
c:\documents and settings\Suzi2\Local Settings\Application Data\{D7427597-ECD1-485E-ACCE-2A58EC457E82}\chrome.manifest
c:\documents and settings\Suzi2\Local Settings\Application Data\{D7427597-ECD1-485E-ACCE-2A58EC457E82}\chrome\content\_cfg.js
c:\documents and settings\Suzi2\Local Settings\Application Data\{D7427597-ECD1-485E-ACCE-2A58EC457E82}\chrome\content\overlay.xul
c:\documents and settings\Suzi2\Local Settings\Application Data\{D7427597-ECD1-485E-ACCE-2A58EC457E82}\install.rdf
c:\windows\system32\regobj.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-04-18 to 2011-05-18 )))))))))))))))))))))))))))))))
.
.
2011-05-18 02:15 . 2011-05-18 02:15 -------- dc----w- c:\documents and settings\Suzi2\Application Data\SUPERAntiSpyware.com
2011-05-18 02:11 . 2011-05-18 02:11 -------- dc----w- c:\documents and settings\Suzi2\Application Data\Avira
2011-05-13 05:31 . 2011-04-01 21:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-05-13 05:31 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-05-13 05:31 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-05-13 05:31 . 2011-05-13 05:31 -------- dc----w- c:\documents and settings\All Users\Application Data\Avira
2011-05-13 05:31 . 2011-05-13 05:31 -------- d-----w- c:\program files\Avira
2011-05-06 01:03 . 2011-05-06 01:03 -------- d-----w- c:\windows\system32\LogFiles
2011-05-05 23:41 . 2011-05-06 22:03 -------- d-----w- c:\program files\Cisco Systems
2011-05-05 23:15 . 2011-05-05 23:15 -------- dc----w- c:\documents and settings\All Users\Application Data\Cisco Systems
2011-05-03 07:05 . 2011-05-03 07:05 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-05-02 13:34 . 2009-08-06 23:23 215920 ----a-w- c:\windows\system32\muweb.dll
2011-05-02 13:34 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-05-02 01:23 . 2011-05-02 01:23 -------- d-----w- c:\program files\Microsoft Synchronization Services
2011-05-02 01:21 . 2011-05-02 01:21 -------- dc----w- c:\documents and settings\All Users\Microsoft
2011-05-02 01:21 . 2011-05-02 01:21 -------- d-----w- c:\program files\Microsoft Sync Framework
2011-05-02 01:21 . 2011-05-02 01:21 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-05-02 01:06 . 2011-05-02 01:06 -------- d-----w- c:\program files\Microsoft Analysis Services
2011-04-23 21:37 . 2011-05-13 04:57 0 ----a-w- c:\windows\Griku.bin
2011-04-20 01:41 . 2011-04-20 01:41 -------- dc----w- c:\documents and settings\Suzi2\Application Data\HP
2011-04-20 01:41 . 2005-02-05 02:58 98304 ----a-w- c:\windows\system32\hpzjsn01.dll
2011-04-20 01:41 . 2005-04-08 15:51 258122 ----a-w- c:\windows\system32\hpovst08.dll
2011-04-20 01:41 . 2005-04-08 15:51 606208 ----a-w- c:\windows\system32\hpotscl.dll
2011-04-20 01:40 . 2005-03-18 18:32 180315 ----a-w- c:\windows\system32\hpzsnt12.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-14 18:01 . 2010-08-01 15:09 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-04-14 18:01 . 2010-08-01 15:09 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-04-14 18:01 . 2010-08-01 15:09 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-14 18:01 . 2010-08-01 15:09 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-04-14 18:01 . 2010-08-01 15:09 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-04-14 18:01 . 2010-08-01 15:09 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-14 18:01 . 2010-08-01 15:09 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-04-14 18:01 . 2007-02-03 00:17 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-14 18:01 . 2007-02-03 00:17 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-04-14 18:01 . 2007-02-03 00:17 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-04-01 21:07 . 2010-02-12 20:39 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-03-07 05:33 . 2007-02-02 18:13 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2003-07-16 20:49 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2003-07-16 20:51 1857920 ----a-w- c:\windows\system32\win32k.sys
2001-05-24 16:59 . 2008-05-26 02:53 162304 ----a-w- c:\program files\UNWISE.EXE
2011-04-14 18:01 . 2010-08-01 15:09 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-02-03 65536]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-02-01 385024]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-04-05 1195408]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-11-19 193880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2011-03-04 948880]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2010-02-12 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-02-12 05:43 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=
"c:\\WINDOWS\\system32\\vssvc.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\FinalMediaPlayer\\FMPCheckForUpdates.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24726:TCP"= 24726:TCP:FlipShareServer
"24727:TCP"= 24727:TCP:FlipShareServer
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [8/1/2010 11:09 AM 84200]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/29/2008 4:03 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/29/2008 4:03 PM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/13/2011 1:31 AM 136360]
R2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [12/15/2010 2:22 PM 1085440]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/12/2010 4:14 AM 363344]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/14/2008 9:41 PM 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/1/2010 11:09 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [8/1/2010 11:09 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [8/1/2010 11:09 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [8/1/2010 11:09 AM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [8/1/2010 11:09 AM 56064]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/12/2010 4:14 AM 20952]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [8/1/2010 11:09 AM 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [8/1/2010 11:09 AM 88736]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/30/2009 2:17 PM 133104]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/26/2010 11:54 PM 18560]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/30/2009 2:17 PM 133104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [8/1/2010 11:09 AM 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/1/2010 11:09 AM 84488]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 10:25 AM 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 12872]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2003-09-19 c:\windows\Tasks\Final Media Player Update Checker.job
- c:\program files\FinalMediaPlayer\FMPCheckForUpdates.exe [2011-02-05 21:35]
.
2011-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-30 18:17]
.
2011-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-30 18:17]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Suzi2\Application Data\Mozilla\Firefox\Profiles\3t77m5o6.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{A095A6F6-B7E8-40E2-9A80-A235566C0FE6} - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
HKCU-Run-Mgekewori - c:\windows\lsonet.dll
AddRemove-HijackThis - c:\documents and settings\Dennis\My Documents\HiJackThis\HijackThis.exe
AddRemove-Shockwave - c:\windows\system32\Macromed\SHOCKW~1\UNWISE.EXE
AddRemove-{E6358333-B89B-4243-8477-647C9360B5D9}_is1 - c:\documents and settings\Dennis\Local Settings\Application Data\Batchwork\Ppt-2-Ppt\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-18 19:29
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1008)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2011-05-18 19:32:51
ComboFix-quarantined-files.txt 2011-05-18 23:32
ComboFix2.txt 2010-02-18 03:43
.
Pre-Run: 22,931,062,784 bytes free
Post-Run: 23,875,989,504 bytes free
.
- - End Of File - - C2327102AC15334966ABD365DC16749D


and the two DDS logs

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 2/2/2007 1:20:29 PM
System Uptime: 9/19/2003 1:33:07 AM (67171 hours ago)
.
Motherboard: Dell Computer Corp. | | 0K0057
Processor: Intel® Pentium® 4 CPU 2.66GHz | Microprocessor | 2660/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 75 GiB total, 22.251 GiB free.
D: is CDROM ()
F: is FIXED (NTFS) - 297 GiB total, 243.901 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP428: 4/28/2011 3:49:36 AM - System Checkpoint
RP429: 4/29/2011 4:49:35 AM - System Checkpoint
RP430: 4/30/2011 5:49:34 AM - System Checkpoint
RP431: 4/30/2011 10:28:10 AM - Software Distribution Service 3.0
RP432: 5/1/2011 11:02:07 AM - System Checkpoint
RP433: 5/1/2011 8:57:11 PM - Installed Microsoft Office Professional Plus 2010
RP434: 5/1/2011 9:01:49 PM - Installed Microsoft Office Professional Plus 2010
RP435: 5/1/2011 9:33:22 PM - Printer Driver Send To Microsoft OneNote 2010 Driver Installed
RP436: 5/2/2011 10:21:31 AM - Software Distribution Service 3.0
RP437: 5/3/2011 3:00:50 AM - Software Distribution Service 3.0
RP438: 5/4/2011 3:00:25 AM - Software Distribution Service 3.0
RP439: 5/5/2011 3:16:06 AM - System Checkpoint
RP440: 5/6/2011 4:08:39 AM - System Checkpoint
RP441: 5/7/2011 3:00:42 PM - System Checkpoint
RP442: 5/8/2011 3:28:41 PM - System Checkpoint
RP443: 5/9/2011 3:49:27 PM - System Checkpoint
RP444: 5/10/2011 4:49:27 PM - System Checkpoint
RP445: 5/11/2011 5:49:27 PM - System Checkpoint
RP446: 5/12/2011 3:00:20 AM - Software Distribution Service 3.0
RP447: 5/15/2011 1:42:36 AM - System Checkpoint
RP448: 5/16/2011 2:30:54 AM - System Checkpoint
RP449: 5/17/2011 3:31:10 AM - System Checkpoint
RP450: 5/17/2011 9:54:22 PM - Restore Operation
RP451: 5/17/2011 10:02:59 PM - Restore Operation
.
==== Installed Programs ======================
.
.
1400
1400_Help
1400Trb
AcronisPrivacy Expert Suite
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader X (10.0.1)
AiO_Scan
AiOSoftware
AnswerWorks 5.0 English Runtime
ArcGIS Desktop 9.4
Avira AntiVir Personal - Free Antivirus
Broadcom 440x 10/100 Integrated Controller
BufferChm
Carbonite
Cisco Connect
Compatibility Pack for the 2007 Office system
Conexant SmartHSFi V.9x 56K DF PCI Modem
Copy
CP_AtenaShokunin1Config
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CreativeProjects
CreativeProjectsTemplates
CueTour
Definition update for Microsoft Office 2010 (KB982726)
Dell ResourceCD
Destinations
DeviceManagementQFolder
DocProc
DocumentViewer
eSupportQFolder
Fax
File Type Assistant
Final Media Player 2011
FlipShare
Free Window Sweeper
FTDI USB Serial Converter Drivers
GeoDa 0.9.5-i (Beta)
Google Earth
Google Update Helper
GraphSight
HeavyWeatherPublisher 1.0
HeavyWeatherReview 1.0
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Image Zone 4.7
HP Image Zone Express
HP Imaging Device Functions 5.3
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HPProductAssistant
HPS Campaign Vicksburg
HPSystemDiagnostics
IDRISI Taiga
InstantShare
ISI ResearchSoft - Export Helper
J2SE Runtime Environment 5.0 Update 10
Java™ 6 Update 2
Java™ 6 Update 21
Java™ 6 Update 3
Java™ 6 Update 5
Java™ SE Runtime Environment 6 Update 1
JD Secure 3.1
jZip
LeapFrog Connect
LeapFrog Tag Plugin
Malwarebytes' Anti-Malware
Map Maker Pro 3.5
McAfee AntiVirus Plus
McAfee Virtual Technician
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Office Word Viewer 2003
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 14
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Moyea FLV Downloader version 1.16.0.17
Moyea FLV Player version 1.0.0.0
Mozilla Firefox (3.6.17)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NewCopy
PanoStandAlone
PhotoGallery
PlayFLV
PowerDVD
ProductContext
Python 2.4.1
Python 2.5 numpy-1.0.3
Python 2.5.1
QFolder
Quicken 2010
QuickTime
Quintessential Player
Readme
Scan
ScannerCopy
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft Excel 2010 (KB2466146)
Security Update for Microsoft Office 2010 (KB2289078)
Security Update for Microsoft Office 2010 (KB2289161)
Security Update for Microsoft PowerPoint 2010 (KB2519975)
Security Update for Microsoft Publisher 2010 (KB2409055)
Security Update for Microsoft Word 2010 (KB2345000)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360131)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2416400)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2482017)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2497640)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SkinsHP1
SolutionCenter
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SoundMAX
SPSS Statistics 17.0
Status
SUPERAntiSpyware Free Edition
TrayApp
TurboTax 2010
TurboTax 2010 WinPerFedFormset
TurboTax 2010 WinPerReleaseEngine
TurboTax 2010 WinPerTaxSupport
TurboTax 2010 wrapper
TurboTax 2010 wvaiper
Unload
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft Office 2010 (KB2202188)
Update for Microsoft Office 2010 (KB2413186)
Update for Microsoft OneNote 2010 (KB2493983)
Update for Microsoft Outlook Social Connector (KB2441641)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
Use the entry named LeapFrog Connect to uninstall (LeapFrog Tag Plugin)
WebFldrs XP
WebReg
Windows Driver Package - LeapFrog (FlyUsb) USB (11/05/2008 1.1.1.0)
Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
5/16/2011 11:19:05 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service CarboniteService with arguments "" in order to run the server: {36471C67-6A93-4434-92CC-4C614CD06666}
5/16/2011 10:25:39 PM, error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
5/16/2011 10:14:31 PM, error: Service Control Manager [7034] - The spkrmon service terminated unexpectedly. It has done this 1 time(s).
5/13/2011 2:07:47 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: TfFsMon TfSysMon
5/12/2011 11:55:55 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
5/12/2011 11:46:13 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the CarboniteService service, but this action failed with the following error: An instance of the service is already running.
5/12/2011 11:45:12 PM, error: Service Control Manager [7031] - The CarboniteService service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
5/12/2011 11:45:01 PM, error: Service Control Manager [7031] - The CarboniteService service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
5/12/2011 11:44:40 PM, error: Service Control Manager [7031] - The CarboniteService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
.
==== End Of File ===========================

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Suzi2 at 20:40:53.86 on Wed 05/18/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1326 [GMT -4:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Suzi2\Desktop\dds.scr
C:\Documents and Settings\Suzi2\Desktop\dds.com
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110512215306.dll
BHO: Catcher Class: {adecbed6-0366-4377-a739-e69dfba04663} - c:\program files\moyea\flv downloader\MoyeaCth.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: CAdBlocker Object: {e24ad748-155e-4254-b674-4edf86e7e1df} - c:\progra~1\acronis\privac~1\Blocker.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [StorageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - {2E071ADC-ADF8-4b4b-8ACB-EDC49E6D45A2} - c:\progra~1\acronis\privac~1\Blocker.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\suzi2\applic~1\mozilla\firefox\profiles\3t77m5o6.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdbplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\windows\system32\superadblocker.com\npsabffx.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-2 387480]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-5-13 11608]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-1 84200]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-2-29 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-5-13 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-5-13 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-12 61960]
R2 FlipShareServer;FlipShare Server;c:\program files\flip video\flipshareserver\FlipShareServer.exe [2010-12-15 1085440]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-2-12 363344]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-11-14 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-1 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-1 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-1 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-1 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-1 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-1 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-1 56064]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-12 20952]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-2 153280]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-2 52320]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-1 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-8-1 88736]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-30 133104]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2010-12-26 18560]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-9-30 133104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-8-1 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-1 84488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-2 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-2 40552]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 12872]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-05-18 23:16:24 98816 ----a-w- c:\windows\sed.exe
2011-05-18 23:16:24 89088 ----a-w- c:\windows\MBR.exe
2011-05-18 23:16:24 256512 ----a-w- c:\windows\PEV.exe
2011-05-18 23:16:24 161792 ----a-w- c:\windows\SWREG.exe
2011-05-18 02:15:06 -------- dc----w- c:\docume~1\suzi2\applic~1\SUPERAntiSpyware.com
2011-05-18 02:11:18 -------- dc----w- c:\docume~1\suzi2\applic~1\Avira
2011-05-13 05:31:16 -------- dc----w- c:\docume~1\alluse~1\applic~1\Avira
2011-05-13 05:31:16 -------- d-----w- c:\program files\Avira
2011-05-06 01:03:28 -------- d-----w- c:\windows\system32\LogFiles
2011-05-05 23:41:05 -------- d-----w- c:\program files\Cisco Systems
2011-05-05 23:15:25 -------- dc----w- c:\docume~1\alluse~1\applic~1\Cisco Systems
2011-05-03 07:05:14 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-05-02 13:34:03 215920 ----a-w- c:\windows\system32\muweb.dll
2011-05-02 13:34:03 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-05-02 13:34:02 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-05-02 01:23:22 -------- d-----w- c:\program files\Microsoft Synchronization Services
2011-05-02 01:21:46 -------- dc----w- c:\documents and settings\all users\Microsoft
2011-05-02 01:21:46 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-05-02 01:06:32 -------- d-----w- c:\program files\Microsoft Analysis Services
2011-04-23 21:37:13 0 ----a-w- c:\windows\Griku.bin
2011-04-20 01:41:12 98304 ----a-w- c:\windows\system32\hpzjsn01.dll
2011-04-20 01:41:11 606208 ----a-w- c:\windows\system32\hpotscl.dll
2011-04-20 01:41:11 258122 ----a-w- c:\windows\system32\hpovst08.dll
2011-04-20 01:40:18 180315 ----a-w- c:\windows\system32\hpzsnt12.dll
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2001-05-24 16:59:30 162304 ----a-w- c:\program files\UNWISE.EXE
.
============= FINISH: 20:42:54.15 ===============

#4 Geographer

Geographer

    New Member

  • Members
  • Pip
  • 26 posts
  • Gender:Male
  • Location:22405

Posted 18 May 2011 - 08:22 PM

More information:

This time, I had to run Combofix, MBAM, and DDS from my wife's user account. Previously I was able to run everything from my user account. Now, I can't get anything to work from my user account (where I first noticed all the problems). If I attempt to open MBAM or Firefox or anything from my user account, the file association dialog opens (the Open With box) and no matter what I select, nothing happens.

Also, Carbonite lost connection with the internet on all user accounts about 11 days ago. And finally the system clock went back to 2003. I was able to reset the clock from my wife's user account, but the MBAM program still says it is 2798 days out of date.

#5 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 20 May 2011 - 03:39 PM

Hi,

I notice that you are using more than one antivirus program (Antivir and McAfee). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.


Next, please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Next, download my Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317
Chris Fistonich
Research Team

Posted Image

Follow us: Twitter, Become a fan: Facebook

#6 Geographer

Geographer

    New Member

  • Members
  • Pip
  • 26 posts
  • Gender:Male
  • Location:22405

Posted 21 May 2011 - 11:19 AM

Antivir is now uninstalled, and these are the results from the ESET and the Security Check:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6522
# api_version=3.0.2
# EOSSerial=befee2d67ddaab4bb18ba2449d5a388f
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-05-21 04:59:28
# local_time=2011-05-21 12:59:28 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16774142 0 1 0 0 0 0
# compatibility_mode=5121 16777173 100 75 0 35099796 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=126462
# found=1
# cleaned=1
# scan_time=8295
C:\System Volume Information\_restore{9EE8FFE7-A98B-401B-96FD-32A41CC0A7CC}\RP451\A0090237.ini Win32/Adware.AntimalwareDoctor.AE.Gen application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


Results of screen317's Security Check version 0.99.11
Windows XP Service Pack 3
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
ESET Online Scanner v3
McAfee AntiVirus Plus
McAfee Virtual Technician
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 21
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Out of date Java installed!
Adobe Flash Player 10.1.85.3
Adobe Reader X (10.0.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
``````````End of Log````````````

And these are the main issues I am still having:

If I attempt to open a program from my old user profile, I get the file association dialog:

Attached File  open with.png   27.65KB   13 downloads

or if I am in my old user profile, and Iattempt to open a utility in the control panel, I get a different error

Attached File  control panel.png   177.23KB   13 downloads

And finally, I have reinstalled it and made sure my firewall isn't blocking it, but carbonite can't access the internet from any user profile.

Attached File  carbonite error.png   17.72KB   12 downloads

Thanks so very much for spending time to help me with this.

#7 Geographer

Geographer

    New Member

  • Members
  • Pip
  • 26 posts
  • Gender:Male
  • Location:22405

Posted 21 May 2011 - 12:28 PM

The browser hijack is still happening in my old profile as well, google searches are redirected to coupon sites etc.

#8 Geographer

Geographer

    New Member

  • Members
  • Pip
  • 26 posts
  • Gender:Male
  • Location:22405

Posted 21 May 2011 - 05:25 PM

I was able to fix the Carbonite issue, now the only problems I have are restricted to the old user account.

#9 Geographer

Geographer

    New Member

  • Members
  • Pip
  • 26 posts
  • Gender:Male
  • Location:22405

Posted 22 May 2011 - 06:57 PM

on the profile that is most functional, I am now getting Google search redirects to urls such as this

http://aplsearch.net...0000000&qaff=14

#10 Geographer

Geographer

    New Member

  • Members
  • Pip
  • 26 posts
  • Gender:Male
  • Location:22405

Posted 23 May 2011 - 07:22 PM

Looking at your other replies to users who have the same issue as me, if I try to even download exehelper, i get this:

Attached File  exehelper error.jpg   154.49KB   14 downloads

#11 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 26 May 2011 - 02:53 PM

Hi,

My apologies for the delay.

Every time you reply, your post gets pushed to the bottom of my list to reply to.



Ignore the McAfee warning and let it run. It's safe...


Alternatively, backup any useful files on the affected profile, then delete it and create a new profile. Then transfer your backed up files over.
Chris Fistonich
Research Team

Posted Image

Follow us: Twitter, Become a fan: Facebook

#12 Geographer

Geographer

    New Member

  • Members
  • Pip
  • 26 posts
  • Gender:Male
  • Location:22405

Posted 26 May 2011 - 07:34 PM

Thanks, I believe I understand now about replying correctly, all at once and then don't add anything until I hear back from you.

I deleted all the old Java and installed the most current. I never use Internet Explorer, so I haven't updated it yet.

I was able to download and run exehelper and now the file associations on the old profile work correctly, so I don't think I need to delete the old profile just yet.

This is the exehelper log

exeHelper by Raktor
Build 20100414
Run at 19:12:19 on 05/25/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

I have re-run complete MBAM and McAffee scans and they both come back clean.

This is the latest MBAM log

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6644

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

5/25/2011 10:29:52 PM
mbam-log-2011-05-25 (22-29-52).txt

Scan type: Full scan (C:\|)
Objects scanned: 304366
Time elapsed: 1 hour(s), 42 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I am still having occasional hijacks when I do google searches (most are blocked by MBAM Pro), so I know I'm not clean yet. I don't feel comfortable repeating any of the other cleaning efforts without your guidance, so I'll wait to hear from you.

Thanks again. You guys who do this for us are literally unsung heroes.

#13 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 29 May 2011 - 06:26 AM

Hi,

Could you give an example of the hijack? Go ahead and update IE. See if the behavior persists there.
Chris Fistonich
Research Team

Posted Image

Follow us: Twitter, Become a fan: Facebook

#14 Geographer

Geographer

    New Member

  • Members
  • Pip
  • 26 posts
  • Gender:Male
  • Location:22405

Posted 29 May 2011 - 01:10 PM

IE is updated, and I ran the ESET online again. It found this:

C:\Documents and Settings\Suzi2\Application Data\Sun\Java\Deployment\cache\6.0\39\58ec35a7-404be173 a variant of Java/Exploit.CVE-2010-4452.A trojan cleaned by deleting - quarantined

here are some examples of the hijacks

If i do a google search (using Firefox) for 'XP Security malware' the first site that appears in the search is an ehow url:

How to Get Rid of XP Security Center Malware | eHow.com
How to Get Rid of XP Security Center Malware. XP Security Center is a rogue antispyware program despite its creators advertising it as a legitimate security ...
www.ehow.com Computer Software - Cached - Similar

but if I click on it, I get redirected to

http://www.stopzilla...376&cid=malware

or this

hxxp://scour.com/search/web/Xp%20Security%20Malwar/a53/itcg-20932/v3

another example, if I search for 'best antivirus', the first site on the google search list is a pcmag site

The Best Antivirus Software in 2011 | PCMag.com
Jan 13, 2011 ... If you're still running not antivirus protection, you should be. We'll help you choose a free or premium solution.
The Best Protection - View Slideshow - Panda Antivirus Pro 2011
www.pcmag.com/article2/0,2817,2372364,00.asp - Cached - Similar

But if i click on it, I get redirected to

hxxp://www.pcsecurityshield.com/lp/shield-deluxe-53.aspx?wps800

#15 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 31 May 2011 - 08:17 PM

Hi,

Please download ATF Cleaner by Atribune from here, and save it to your Desktop.

Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Java Cache

The rest are optional - if you want to remove the whole lot, check Select All.
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.


Please download the HostsXpert.

  • Extract the HostsXpert.zip by doing the following:
    • Right-click HostsXpert.zip and select extract all Follow the wizard and extract it to your Desktop
    • Click Finish, double-click the HostsXpert folder and then double-click HostsXpert.exe
  • Press Restore MS Hosts File and press OK.
  • Exit the program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself.


Reboot and see if the redirects persist. Do they only happen in Internet Explorer? What about Firefox?
Chris Fistonich
Research Team

Posted Image

Follow us: Twitter, Become a fan: Facebook

#16 Geographer

Geographer

    New Member

  • Members
  • Pip
  • 26 posts
  • Gender:Male
  • Location:22405

Posted 02 June 2011 - 05:53 AM

I'm still getting the redirects. Here's an example

hxxp://www.pcsecurityshield.com/lp/shield-deluxe-43.aspx?aid=wps766&Subid=5malware

and to clarify, I only get the redirects when I use Firefox. I don't get them with IE.

#17 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 04 June 2011 - 05:58 PM

Uninstall Firefox completely.

Reboot and ensure that the C:\Program Files\Mozilla folder is deleted.


Grab the latest version of Firefox and see if the redirects persist.
Chris Fistonich
Research Team

Posted Image

Follow us: Twitter, Become a fan: Facebook

#18 Geographer

Geographer

    New Member

  • Members
  • Pip
  • 26 posts
  • Gender:Male
  • Location:22405

Posted 04 June 2011 - 07:36 PM

did it, but i'm still getting the redirects

#19 screen317

screen317

    MBAM Sentinel

  • Moderators
  • PipPipPipPipPipPip
  • 19,486 posts
  • Gender:Male
  • Location:New Haven, CT

Posted 07 June 2011 - 06:10 PM

Post a fresh DDS.txt log please. Also grab a fresh copy of ComboFix, run it, and post its log.
Chris Fistonich
Research Team

Posted Image

Follow us: Twitter, Become a fan: Facebook

#20 Geographer

Geographer

    New Member

  • Members
  • Pip
  • 26 posts
  • Gender:Male
  • Location:22405

Posted 08 June 2011 - 09:01 AM

Thanks I'll do that, but I won't have access to the damaged computer for a few weeks, so it will be late June before I can post the information.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users